General Best Practice for role-based security

From: Frank J (FrankJ_at_discussions.microsoft.com)
Date: 06/16/04


Date: Wed, 16 Jun 2004 11:11:57 -0700

We are designing an intranet web application backed by a centralized SQL DB.

After user login, depending on the department and role (manager, employee, data operator), the web page will show or not show certain sections.

Most important, within one page, based on the role of the logged-in user, some functions will be hidden from or shown to the user. For example, an accounting dept. employee shouldn't see the client login password, while customer service cannot delete a client account. I.e., for a simple page like client info, there will be so many variants. How can I avoid creating redundant user interfaces for the same information?

I believe this is a common issue and am looking for best practices. How do I get started? Is there any whitepaper or sample available?
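One way to structure what the post asks for, as an added example that is not part of the original post or of any Microsoft sample: a single permission matrix keyed by (department, role), one rendering function that filters fields and actions out of the same client record, and a server-side check in every action handler. The department, role and permission names, the record fields and the sample data are assumptions made for the illustration. Two points a practitioner would add: hiding a field or a button in the page is a usability measure, not an authorization control, so the filtering has to happen on the server before the response is sent and each action must re-check the permission, because a user can submit a request the page never offered; and a design in which any staff role can read a client's login password implies the password is stored in clear, so the usual replacement is a stored hash plus a "reset password" action granted to the roles that need it.

```python
"""Role-based show/hide of one client-info view, plus the server-side check.

Hypothetical example: the department/role names, permission strings,
record fields and sample data below are assumptions, not taken from any
real application.
"""
from dataclasses import dataclass

# Permission strings: "view:<field>" controls which columns a role sees,
# "action:<name>" controls which operations it may invoke.
# Anything not listed is denied (deny by default).
PERMISSIONS = {
    ("accounting", "employee"): {
        "view:name", "view:email", "view:balance",
        "action:adjust_balance",
    },
    ("customer_service", "employee"): {
        "view:name", "view:email", "view:login_password",
        "action:reset_password",
    },
    ("customer_service", "manager"): {
        "view:name", "view:email", "view:balance", "view:login_password",
        "action:reset_password", "action:delete_account",
    },
}

# The full list of actions the client-info page can offer.
ACTIONS = ["adjust_balance", "reset_password", "delete_account"]


class Forbidden(Exception):
    """Raised when an action is attempted without the matching permission."""


@dataclass(frozen=True)
class User:
    name: str
    department: str
    role: str

    def permissions(self) -> frozenset:
        # Unknown (department, role) pairs get an empty set, i.e. no rights.
        return frozenset(PERMISSIONS.get((self.department, self.role), set()))

    def can(self, perm: str) -> bool:
        return perm in self.permissions()


# One client record as the server holds it (constructed sample data).
CLIENT = {
    "name": "Example Client Ltd",
    "email": "contact@example.invalid",
    "balance": 1250.00,
    "login_password": "hunter2",  # see the lead-in: a hash + reset is the usual fix
}


def render_client_info(user: User, client: dict) -> dict:
    """Build the one client-info page for this user.

    The same template serves every role; only the field list and the
    action list differ. Fields are dropped on the server, so a value the
    role may not see never reaches the browser at all.
    """
    fields = {k: v for k, v in client.items() if user.can(f"view:{k}")}
    actions = [a for a in ACTIONS if user.can(f"action:{a}")]
    return {"fields": fields, "actions": actions}


def perform_action(user: User, action: str) -> str:
    """Server-side handler: hiding the button is not enough, re-check here."""
    if not user.can(f"action:{action}"):
        raise Forbidden(f"{user.name} may not {action}")
    # Real work (SQL update, audit log entry) would go here.
    return f"{action} performed by {user.name}"


if __name__ == "__main__":
    for u in (User("alice", "accounting", "employee"),
              User("bob", "customer_service", "employee")):
        print(u.name, render_client_info(u, CLIENT))
```

With this layout a new variant of the page means a new row in the permission matrix, not a new copy of the UI; the two cases from the post fall out directly (the accounting employee's page has no `login_password` field, the customer-service employee's page has no `delete_account` action, and a forged request for `delete_account` is rejected by `perform_action` regardless of what the page showed).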